A group of European privacy experts has proposed a decentralized system for Bluetooth-based COVID-19 contacts tracing which they argue offers greater protection against abuse and misuse of people’s data than apps which pull data into centralized pots.
The protocol, which they are calling Decentralized Privacy-Preserving Proximity Tracing (DP-PPT), has been designed by around 25 academics from at least seven research institutions across Europe, including the Swiss Federal Institute of Technology in Lausanne (EPFL), ETH Zurich and KU Leuven in Belgium.
They have published a white paper detailing their approach.
The key element is that contact matching and risk computation happen locally, on the user's own device. Each device generates and broadcasts short-lived, random-looking Bluetooth identifiers (referred to as EphIDs in the paper) and records the EphIDs it hears from nearby devices.
A backend server is used only to relay data out to devices. When a person is diagnosed with COVID-19, a health authority would sanction the upload from that person's device of a compact representation from which the EphIDs it broadcast over the infectious period can be reconstructed. The server pushes that to all other devices, each of which recomputes those EphIDs, checks them against its own locally stored contact log, and notifies its user if there is a match. The server never sees who met whom, and a device that was never near the diagnosed person learns nothing beyond the published identifiers.
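To make the "compact representation" idea concrete, here is a toy model of the exchange in Python. It is an added example written for this page, not code from the DP-PPT white paper or its authors. The one-way day-key ratchet (SK_{t+1} = H(SK_t)), the HMAC-based EphID derivation, the 16-byte identifier size, the 15-minute epoch, the 14-day window and the "any match means risk" rule are all illustrative assumptions; the paper's actual constructions and parameters differ. The contact scenario at the end is constructed for the example.

```python
"""Toy model of decentralized proximity tracing with ephemeral IDs.

Added example, not code from the DP-PPT white paper. The one-way day-key
ratchet (SK_{t+1} = H(SK_t)) and the PRF-based EphID derivation are
illustrative assumptions; epoch length, window size and the risk rule
are placeholders too.
"""
import hashlib
import hmac
import secrets

EPHID_LEN = 16        # bytes broadcast per BLE beacon (assumption)
EPOCHS_PER_DAY = 96   # one EphID per 15 minutes (assumption)
WINDOW_DAYS = 14      # days covered by one upload (assumption)


def ratchet(sk: bytes) -> bytes:
    """Day t+1 key from day t key: one-way, so a published SK_t
    reveals days t, t+1, ... and nothing earlier."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk: bytes) -> set:
    """Every EphID a phone broadcasts on the day whose key is sk."""
    k = hmac.new(sk, b"broadcast key", hashlib.sha256).digest()
    return {hmac.new(k, i.to_bytes(4, "big"), hashlib.sha256).digest()[:EPHID_LEN]
            for i in range(EPOCHS_PER_DAY)}


def expand_report(sk_first: bytes, first_day: int, n_days: int = WINDOW_DAYS) -> dict:
    """What every receiving phone recomputes from one relayed upload."""
    out, sk = {}, sk_first
    for d in range(first_day, first_day + n_days):
        out[d] = ephids_for_day(sk)
        sk = ratchet(sk)
    return out


class Phone:
    def __init__(self) -> None:
        self.day = 0
        self.sk = secrets.token_bytes(32)   # random start; never leaves the phone unless diagnosed
        self.day_keys = {0: self.sk}        # retained only for the upload window
        self.seen = set()                   # (day, EphID) pairs heard over BLE

    def observe(self, other: "Phone") -> None:
        """Record one of the other phone's current EphIDs (a BLE contact)."""
        self.seen.add((self.day, next(iter(ephids_for_day(other.sk)))))

    def advance_day(self) -> None:
        self.day += 1
        self.sk = ratchet(self.sk)
        self.day_keys[self.day] = self.sk
        for d in [d for d in self.day_keys if d < self.day - WINDOW_DAYS]:
            del self.day_keys[d]            # forget keys outside the window

    def report(self, first_infectious_day: int) -> tuple:
        """Health-authority-sanctioned upload: one key plus a day index.
        The phone then restarts from a fresh key so later days stay unlinkable."""
        rep = (self.day_keys[first_infectious_day], first_infectious_day)
        self.sk = secrets.token_bytes(32)
        self.day_keys = {self.day: self.sk}
        return rep

    def at_risk(self, report: tuple) -> bool:
        """Local check: did I hear any EphID the uploaded key expands to?"""
        published = expand_report(*report)
        return any(e in published.get(d, ()) for d, e in self.seen)


def scenario() -> dict:
    """Constructed contacts: Dave met Alice on day 2, Bob on day 5,
    Carol met only Bob. Alice is later diagnosed, infectious from day 4."""
    alice, bob, carol, dave = Phone(), Phone(), Phone(), Phone()
    for today in range(8):
        if today == 2:
            dave.observe(alice)
        if today == 5:
            bob.observe(alice)
            carol.observe(bob)
        for p in (alice, bob, carol, dave):
            p.advance_day()
    rep = alice.report(first_infectious_day=4)
    return {
        "bob": bob.at_risk(rep),      # True: contact inside the window
        "carol": carol.at_risk(rep),  # False: never near Alice
        "dave": dave.at_risk(rep),    # False: day 2 is not derivable from SK_4
        "alice_unlinkable_after_upload":
            not (ephids_for_day(alice.sk) & expand_report(*rep)[alice.day]),
    }
```

Two properties worth noting in the model: the backend only ever holds the uploaded day key and a day index, so it cannot tell which phones matched; and because the ratchet is one-way, a key published for the first infectious day says nothing about the days before it, which is why Dave's earlier contact does not surface.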
Under this design there is no requirement for pseudonymized IDs to be centralized, so no pooled dataset exists that could pose a privacy risk. That in turn should make it easier to persuade EU citizens to trust the system, and to voluntarily download a contacts tracing app built on this protocol, given it is architected to resist being repurposed for individual-level state surveillance.
The group does discuss some other potential threats, such as those posed by tech-savvy users who could eavesdrop on the data exchanged locally, or decompile and recompile the app to modify its behaviour. Their overarching contention, however, is that such risks are small and manageable compared with creating centralized pots of data that risk paving the way for "surveillance creep", i.e. states using a public health crisis as an opportunity to establish, and then retain, citizen-level tracking infrastructure.
The DP-PPT protocol has also been designed with its own purpose-limited dismantling in mind, so it can be wound down once the public health crisis is over.
“Our protocol is demonstrative of the fact that privacy-preserving approaches to proximity tracing are possible, and that countries or organisations do not need to accept methods that support risk and misuse,” writes professor Carmela Troncoso, of EPFL. “Where the law requires strict necessity and proportionality, and societal support is behind proximity tracing, this decentralized design provides an abuse-resistant way to carry it out.”
In recent weeks governments all over Europe have been leaning on data controllers to hand over user data for a variety of coronavirus tracking purposes. Apps are also being scrambled to market by the private sector, including symptom-reporting apps that claim to help researchers fight the disease. Tech giants, meanwhile, see PR opportunities in repackaging persistent tracking of Internet users as a public health cause, however vague the actual utility.